From: Stuart Henderson
Subject: Re: Trying to install Apache 2.4 with OpenSSL 1.1 instead of LibreSSL
To: Theo Buehler
Cc: ports@openbsd.org
Date: Tue, 30 Jan 2024 11:31:17 +0000

On 2024/01/30 11:09, Theo Buehler wrote:
> > what about this one so I can commit it upstream as well ?
>
> Please do not.

Agreed, it is very much a quick hack to sidestep the problem, I do not recommend committing upstream, and am a bit unsure about even just putting it in ports (it disables ALPN, needed by h2).

It's nice that this experimental code in Chrome found a bug, but it would have been nicer if rather than WONTFIX they had adapted it slightly to enforce ordering of SNI and ALPN to bypass the problem and work with others to get the server code fixed...

> > Index: modules/ssl/ssl_private.h > > =================================================================== > > --- modules/ssl/ssl_private.h (revision 1915475) > > +++ modules/ssl/ssl_private.h (working copy) > > @@ -249,7 +249,7 @@ > > #endif > > > > /* ALPN Protocol Negotiation */ > > -#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) > > +#if !defined(LIBRESSL_VERSION_NUMBER) && defined(TLSEXT_TYPE_application_layer_protocol_negotiation) > > #define HAVE_TLS_ALPN > > #endif > > >
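
Review bot: The new `!defined(LIBRESSL_VERSION_NUMBER)` condition on the `#if` guarding `#define HAVE_TLS_ALPN` in modules/ssl/ssl_private.h does not depend on the LibreSSL version and carries no comment, so every LibreSSL build silently loses ALPN (and with it h2, as noted above) with nothing in the header saying why or when the guard can be dropped. If this goes into ports at all, add a comment above the `#if` naming the problem being sidestepped, and consider bounding the test with a comparison against `LIBRESSL_VERSION_NUMBER` once a fixed library version is known, so that ALPN comes back without another patch.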